The most general and progressive approach to shared information processing using personal computers is to join the computers into a local area network (LAN). LANs facilitate data gathering and allow more efficient use of personal computer memory. However, these networks also provide favorable conditions for the rapid spread of programs known as computer viruses, and thus increase the risk of massive distortion of the information on the personal computer hard disks. LANs are particularly vulnerable to computer viruses which distort information for the purpose of causing economic loss to the information owners. Because of the enormous losses caused by existing viruses and the continual introduction of new viruses, personal computers have to be equipped with protection subsystems which prevent the deliberate distortion of information. However, despite the wide variety of available file-protection subsystems, computer crime statistics indicate that computer viruses are as dangerous as ever and are still capable of causing enormous losses to personal computer users. Users of personal computers connected in LANs face a much higher risk than users of isolated computers. Therefore, there is still an urgent need to improve the methods and means of protecting computer files, especially for LAN-linked computers.
An analysis of current methods and means of protecting computer files shows that the most reliable protection is provided by subsystems which use dedicated hardware to support the protection programs. One particularly effective way of protecting computer files is to use specialized processors acting as a connecting link between the central processor and the file storage device. A typical example of a highly reliable protection subsystem is the computer file protection subsystem developed and patented by Empirical Research System, Inc. (Computer File Protection System: International Publication No. WO 90/13084, C06F 12/14. Application submitted Apr. 19, 1989, published Nov. 1, 1990). This subsystem can be accessed by the operating system for modifications only during installation. The hardware for this subsystem includes programmable external memory and a programmable external control device. The programmable control device is based on a digital microprocessor and is installed as an intermediate link between the central processor and the file storage device. The programmable control device monitors the control logic signals, the address signals, and the data signals formed by the central processor. An auxiliary memory stores file-access criteria established by the supervisor. The control device checks for file access authorization and prevents access attempts that do not meet the established criteria. The control device also reads the signatures of all the protected files and compares the signatures of the loaded files with the reference signatures. To store the file signatures, the controller creates a protected memory region that is inaccessible to the operating system. In the event of any deviation from the established protection criteria, the protection subsystem prohibits the use of the computer.
An obvious disadvantage of the above-described subsystem is that any user can view the disk directories in their entirety, which encourages unsanctioned activity by users wishing to study and distort the data of other users. Another obvious disadvantage of the above-described subsystem is that the hardware serving as the intermediate link between the central processor and the file storage device must be located on a board which connects to the file storage device or on the boards of other devices. As a result, this protection subsystem requires additional hardware and does not provide the most efficient use of the existing hardware.